04-21-2012 07:00 AM - edited 03-11-2019 03:56 PM
Hello,
If anyone can help me with this problem, please:
I have FWSM Firewall Version 3.2.
When I want to use
nat (DMZ) 1 10.0.0.0 255.0.0.0 outside
global (INSIDE) 1 192.168.1.1 netmask 255.255.255.255
in order to use dynamic NAT from DMZ to INSIDE, all other translation rules stop functioning from DMZ, i.e. all STATIC and NAT rules:
static (INSIDE, STATIC) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
nat (DMZ) 2 10.0.0.0 255.0.0.0
global (OUTSIDE) 2 interface
I thought that static NAT has priority, but it seems that nat with the outside statement runs over all other translations.
When I remove it (no nat (DMZ) 1 10.0.0.0 255.0.0.0 outside), everything goes back to normal and I can ping everything from DMZ as before.
Does anyone have experience with this?
Am I doing something wrong or this is normal behavior?
Regards,
A.
04-22-2012 05:36 AM
Hi,
All I can say is that I suggest using the NAT/GLOBAL statements only for the interfaces that "head out" of your local networks.
I never do PAT configurations between my own interfaces, like DMZs and different LAN segments. I only do the PAT configurations towards OUTSIDE and perhaps some 3rd party connections.
Why not just allow the traffic between INSIDE and DMZ un-NATed?
- Jouni
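Jouni's suggestion of passing INSIDE/DMZ traffic without translation, written out as an added FWSM 3.x configuration example (not from either poster); it assumes the DMZ is 10.0.0.0/8 and the LAN is 192.168.0.0/16 as in the thread, and the access-list names are made up.

```cisco
! Constructed example: NAT exemption between DMZ and INSIDE (FWSM 3.x syntax).
! Addresses are taken from the thread; access-list names DMZ_NONAT and DMZ_IN are assumed.
access-list DMZ_NONAT extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
nat (DMZ) 0 access-list DMZ_NONAT
! NAT exemption (nat 0 access-list) is bidirectional, so no matching statement is needed on INSIDE.
! DMZ is the lower-security interface, so DMZ-initiated traffic still needs an inbound ACL.
access-list DMZ_IN extended permit icmp 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0 echo
access-group DMZ_IN in interface DMZ
```

Because no address is rewritten, the LAN devices need a route to 10.0.0.0/8 pointing at the FWSM, which is the trade-off the original poster describes in the next reply.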
04-23-2012 08:09 AM
Hi,
I use PAT so that I don't need to configure static routes on a large number of devices in the LAN toward the DMZ network.
Those LAN devices don't have a default route toward the firewall but to another router.
So in order for LAN devices to reach DMZ network I just need to configure PAT from DMZ to some LAN IP address.
Regards,
A.